OPNsense Forum » Archive » 18.7 Legacy Series
Topic: *SOLVED* (upgrading). IPsec mobile clients with DH2 (modp1024) can't connect. (Read 9294 times)
logreg (Newbie, Posts: 8, Karma: 0)
Posted on: December 13, 2018, 12:19:32 pm
Hi everybody,
Android clients support DH2 (modp1024) and do not support DH14 (2048).
In the OPNsense web settings: VPN: IPsec: Tunnel Settings for VPN: DH key group = 2 (1024 bits)
but in the IPsec log:
Dec 13 15:10:05 charon: 16[IKE] <146> negotiated DH group not supported
How do I enable DH2 support?
OPNsense 18.7.4-amd64
Last Edit: December 14, 2018, 10:31:57 am by logreg
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
Reply #1 on: December 13, 2018, 01:18:30 pm
Do you have a different setting in mobile vpn page?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
logreg (Newbie)
Reply #2 on: December 14, 2018, 06:05:08 am
settings
mimugmail (Hero Member)
Reply #3 on: December 14, 2018, 06:28:48 am
For Android always use AES256, a mix of SHA1 and SHA256, and DH2.
I tested this successfully.
logreg (Newbie)
Reply #4 on: December 14, 2018, 06:42:39 am
I tried that, but still "Dec 14 09:37:26 charon: 05[IKE] <160> negotiated DH group not supported"
mimugmail (Hero Member)
Reply #5 on: December 14, 2018, 07:23:26 am
contents of /usr/local/etc/ipsec.conf please ...
logreg (Newbie)
Reply #6 on: December 14, 2018, 07:30:24 am
root@OPNsense:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes
        charondebug=""

conn con1
        aggressive = no
        fragmentation = yes
        keyexchange = ikev1
        mobike = yes
        reauth = yes
        rekey = yes
        forceencaps = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        left = xx.xx.xx.xx
        right = %any
        leftid = xx.xx.xx.xx
        ikelifetime = 86400s
        lifetime = 28800s
        rightsourceip = 192.168.254.0/24
        ike = aes256-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightauth2 = xauth-generic
        leftsubnet = 0.0.0.0/0
        esp = aes256-sha1!
        auto = add
root@OPNsense:~ #
Last Edit: December 14, 2018, 07:38:36 am by logreg
logreg (Newbie)
Reply #7 on: December 14, 2018, 07:50:59 am
I found that DH2 is disabled in new versions of strongSwan (because it is insecure). So now it is impossible to connect Android devices with DH2? Or is it possible to enable DH2?
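To see exactly what a proposal line such as the `ike = aes256-sha1-modp1024!` in the posted ipsec.conf allows, and why the "DH2 is insecure" remark matters, here is a small proposal linter. It is an added example written for this page, not OPNsense or strongSwan code. It assumes the ipsec.conf proposal notation (encryption-integrity[-prf]-dhgroup, comma-separated proposals, a trailing `!` for a strict list); the weak/strong ratings are the script's own policy, the reading of a missing `!` as "defaults are also accepted" is taken from the ipsec.conf documentation and is labelled as an assumption, and the two-proposal "hardened" string is an assumed form of what a Phase 1 set to SHA1+SHA256 and DH2+DH14 would produce, not the exact text OPNsense writes.

```python
"""Parse strongSwan ike=/esp= proposal strings and flag weak components.

Added example for this forum page; not OPNsense or strongSwan code.
Assumptions: proposal grammar is the ipsec.conf notation; ratings below
are this script's own policy; the meaning of a missing '!' follows the
ipsec.conf documentation (default proposals appended) as we read it.
"""

# Modulus / curve size in bits for the DH group keywords strongSwan accepts.
DH_GROUPS = {
    "modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048,
    "modp3072": 3072, "modp4096": 4096, "modp6144": 6144, "modp8192": 8192,
    "ecp256": 256, "ecp384": 384, "ecp521": 521, "x25519": 256, "x448": 448,
}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_ENC_PREFIXES = ("des", "3des", "null", "blowfish", "cast")
AEAD_MARKERS = ("gcm", "ccm", "chacha20poly1305")


def parse_proposals(spec):
    """Split 'aes256-sha1-modp1024,aes256-sha256-modp2048!' into parts.

    Returns (proposals, strict): proposals is a list of dicts with keys
    enc, integ, prf, dh (None when absent); strict is True if spec ends in '!'.
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    proposals = []
    for raw in spec.split(","):
        parts = raw.strip().split("-")
        if not parts[0]:
            raise ValueError(f"empty proposal in {spec!r}")
        prop = {"enc": parts[0], "integ": None, "prf": None, "dh": None}
        for token in parts[1:]:
            if token in DH_GROUPS:
                prop["dh"] = token
            elif token.startswith("prf"):      # explicit PRF, e.g. prfsha384
                prop["prf"] = token
            elif prop["integ"] is None:
                prop["integ"] = token
            else:
                raise ValueError(f"unrecognised token {token!r} in {raw!r}")
        proposals.append(prop)
    return proposals, strict


def is_aead(enc):
    """AEAD ciphers carry their own integrity, so no separate integ token."""
    return any(marker in enc for marker in AEAD_MARKERS)


def assess(spec, phase="ike"):
    """Return a list of findings (strings) for one ike= or esp= value."""
    proposals, strict = parse_proposals(spec)
    findings = []
    for n, p in enumerate(proposals, 1):
        shown = "-".join(v for v in (p["enc"], p["integ"], p["prf"], p["dh"]) if v)
        tag = f"{phase} proposal {n} ({shown})"
        if p["enc"].startswith(WEAK_ENC_PREFIXES):
            findings.append(f"{tag}: legacy cipher {p['enc']}")
        if p["integ"] in WEAK_INTEGRITY:
            findings.append(f"{tag}: weak integrity {p['integ']}")
        if p["integ"] is None and not is_aead(p["enc"]):
            findings.append(f"{tag}: no integrity algorithm on a non-AEAD cipher")
        if p["dh"] is None:
            # IKE always needs a group; in ESP a missing group just means no PFS.
            findings.append(f"{tag}: no DH group" if phase == "ike" else f"{tag}: no PFS group")
        elif p["dh"].startswith("modp") and DH_GROUPS[p["dh"]] < 2048:
            findings.append(f"{tag}: DH group {p['dh']} is only {DH_GROUPS[p['dh']]} bits")
    if not strict:
        # Assumption (from ipsec.conf docs): without '!' the built-in defaults are appended.
        findings.append(f"{phase}: list not terminated with '!', so default proposals are also accepted")
    return findings


if __name__ == "__main__":
    checks = [
        ("thread ike=", "aes256-sha1-modp1024!", "ike"),
        ("thread esp=", "aes256-sha1!", "esp"),
        # Assumed form of a SHA1+SHA256 / DH2+DH14 Phase 1, strong proposal first.
        ("two-proposal ike= (assumed form)", "aes256-sha256-modp2048,aes256-sha1-modp1024!", "ike"),
    ]
    for label, spec, phase in checks:
        print(f"{label}: {spec}")
        for finding in assess(spec, phase) or ["no findings"]:
            print("  -", finding)
```

The point for this thread is that the weak group and SHA-1 are still present in the two-proposal form; they are a compatibility fallback for the Android clients, not something the stronger first proposal removes, so the linter keeps reporting them until the `modp1024` proposal is actually dropped.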
mimugmail (Hero Member)
Reply #8 on: December 14, 2018, 08:50:01 am
No, it looks good, DH2 = MODP1024.
Can you show some more logs and not just this line?
logreg (Newbie)
Reply #9 on: December 14, 2018, 09:07:02 am
root@OPNsense:~ # cat /var/log/ipsec.log
...
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (476 bytes)
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received NAT-T (RFC 3947) vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received XAuth vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received Cisco Unity vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received FRAGMENTATION vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received DPD vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (160 bytes)
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (228 bytes)
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (56 bytes)
root@OPNsense:~ #
mimugmail (Hero Member)
Reply #10 on: December 14, 2018, 09:30:48 am
In Phase1, can you set SHA1+SHA256 and DH2+DH14?
logreg (Newbie)
Reply #11 on: December 14, 2018, 09:38:19 am
How?
In the web interface I can choose only one of them.
mimugmail (Hero Member)
Reply #12 on: December 14, 2018, 09:39:10 am
Then you're not on the latest version ...
logreg (Newbie)
Reply #13 on: December 14, 2018, 10:22:02 am
Really, after upgrading 18.7.4 -> 18.7.9, Android with DH2 was able to connect (charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024).
Thanks a lot.
Topic can be deleted.
Last Edit: December 14, 2018, 10:24:10 am by logreg
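Reading a charon log by hand is error-prone, so here is a small classifier for the two kinds of lines this thread turns on: the failed attempt in the /var/log/ipsec.log excerpt posted above (SA exchange answered, then "negotiated DH group not supported" and N(INVAL_KE)) and the "selected proposal: IKE:..." line from the successful connection after the upgrade. It is an added example written for this page, not OPNsense or strongSwan code. The sample lines are constructed from the posted excerpts (the Android_IP / opnsense_IP placeholders are kept, and the success line is given an invented timestamp), and the event names and status labels are the script's own.

```python
"""Classify IKEv1 Main Mode attempts from strongSwan charon log lines.

Added example for this forum page; not OPNsense or strongSwan code.
Sample lines are constructed from the thread's excerpts; event names and
status labels are this script's own vocabulary.
"""
import re

# One charon line: "<ts> [host ]charon: <thread>[<group>] [<sa> ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )?charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
PEER_RE = re.compile(r"received packet: from (\S+)\[(\d+)\] to ")
SELECTED_RE = re.compile(r"selected proposal: IKE:(\S+)")

# Constructed sample: SA <146> from the first post, SA <205> from the log
# excerpt, SA <2> from the final post (its timestamp is invented).
SAMPLE_LOG = """\
Dec 13 15:10:05 charon: 16[IKE] <146> negotiated DH group not supported
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (476 bytes)
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received XAuth vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (160 bytes)
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (228 bytes)
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 12:03:02 OPNsense charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
""".splitlines()


def new_record():
    return {"peer": None, "mode": None, "events": [], "status": "incomplete", "proposal": None}


def analyze(lines):
    """Group charon lines by IKE_SA id and record the Main Mode milestones."""
    sas = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["sa"] is None:
            continue  # not a charon line, or not tied to a specific IKE_SA
        rec = sas.setdefault(m["sa"], new_record())
        msg = m["msg"]
        pm = PEER_RE.search(msg)
        if pm and rec["peer"] is None:
            rec["peer"] = f"{pm.group(1)}:{pm.group(2)}"
        if "is initiating a Main Mode IKE_SA" in msg:
            rec["mode"] = "main"
        elif "is initiating an Aggressive Mode IKE_SA" in msg:
            rec["mode"] = "aggressive"
        # Milestones in the order Main Mode produces them on the responder side.
        if "parsed ID_PROT request" in msg and "[ SA " in msg:
            rec["events"].append("sa_received")
        elif "generating ID_PROT response" in msg and "[ SA " in msg:
            rec["events"].append("sa_accepted")
        elif "parsed ID_PROT request" in msg and "[ KE " in msg:
            rec["events"].append("ke_received")
        elif "negotiated DH group not supported" in msg:
            rec["events"].append("dh_group_unsupported")
            rec["status"] = "failed_dh_group"
        elif "N(INVAL_KE)" in msg:
            rec["events"].append("inval_ke_sent")
        sm = SELECTED_RE.search(msg)
        if sm:
            rec["proposal"] = sm.group(1)
            rec["status"] = "proposal_selected"
    return sas


def diagnose(rec):
    """One-line reading of a record, based only on what the log shows."""
    who = rec["peer"] or "unknown peer"
    ev = rec["events"]
    if rec["status"] == "failed_dh_group":
        if "sa_accepted" in ev:
            return (f"{who}: Phase 1 proposal accepted in the SA exchange, then the KE "
                    "payload was rejected and INVAL_KE sent; the responder could not use "
                    "the DH group it had just negotiated, so the ike= string is not the "
                    "first thing to suspect")
        return f"{who}: DH group rejected, no SA exchange seen for this IKE_SA"
    if rec["status"] == "proposal_selected":
        return f"{who}: IKE proposal selected: {rec['proposal']}"
    return f"{who}: incomplete ({', '.join(ev) or 'no events'})"


if __name__ == "__main__":
    for sa_id, rec in analyze(SAMPLE_LOG).items():
        print(f"<{sa_id}> {diagnose(rec)}")
```

Against a real file use `analyze(open("/var/log/ipsec.log").read().splitlines())`. The event list for SA <205> is the useful part: the SA exchange completed before the KE payload was rejected, which matches the thread, where the posted ike= line looked right and the upgrade, not a config change, fixed the connection.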
mimugmail (Hero Member)
Reply #14 on: December 14, 2018, 10:28:46 am
You can add *SOLVED* in the topic